ASEC’s RAPIT weekly analysis (Apr 3–9, 2023) shows backdoors as the dominant category (61.1%), followed by infostealers (20.8%), downloaders (16.9%), and ransomware (1.1%). RedLine leads the threat list with over half of detections, with AgentTesla, GuLoader, Amadey, and Formbook also highlighted for their distinctive behaviors and distribution methods. #RedLine #AgentTesla #GuLoader #Amadey #Formbook
Key points
- Backdoor malware is the top category in the weekly stats, accounting for 61.1% of detections.
- RedLine is the No. 1 threat (52.2%), capable of stealing browser/FTP/crypto wallet data and receiving commands from its C2 server to download more malware.
- AgentTesla ranks No. 2 (11.1%), leaking credentials from web browsers, emails, and FTP clients, often distributed via spam-invoice themed emails.
- GuLoader ranks No. 3 (6.9%), a downloader that executes payloads in memory and uses various download URLs (Google Drive, Discord, etc.).
- Amadey ranks No. 4 (6.4%), a downloader that can fetch additional malware and has been used to install ransomware such as LockBit.
- Formbook ranks No. 5 (3.6%), an infostealer that injects into legitimate processes to steal credentials and supports keylogging and form grabbing, with multiple C2 URLs listed.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Distribution via spam emails disguised as invoices, shipment documents, and purchase orders. ‘Most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders.’
- [T1105] Ingress Tool Transfer – Downloading and executing additional malware from remote servers (e.g., GuLoader, Amadey, RedLine updates, and Formbook payloads). ‘download additional malware and runs it.’
- [T1071.001] Web Protocols – Command and control communications over web protocols used by RedLine to reach its C2 servers. ‘The following are the confirmed C&C server domains for RedLine: …’
- [T1027] Obfuscated/Compressed Files and Information – Downloaded GuLoader is encoded and executed in memory to avoid detection. ‘the downloaded file is encoded, not PE’ and ‘downloaded on memory to avoid detection.’
- [T1055] Process Injection – Formbook is injected into normal processes (e.g., explorer.exe and system32) to operate covertly. ‘Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32)’.
- [T1555.003] Credentials in Web Browsers – Formbook can steal credentials saved in web browsers. ‘credentials saved in web browsers, emails, and FTP clients.’
- [T1056.001] Keylogging – Formbook captures keystrokes (and clipboard/web form data) to exfiltrate information. ‘the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.’
Indicators of Compromise
- [IP Address] RedLine C2 endpoints – 176.113.115.145:4125, 77.91.124.145:4125, 5.206.224.176:46989, 83.217.11.28:30827, 82.115.223.9:28881, 31.220.76.124:11620, 152.89.196.149:2920, 172.177.191.179:9001
- [URL] GuLoader download URLs – hxxp://124.71.228.145/SJtQkpVnUoYtRSqkXXSs240.bin, hxxp://194.55.224.251/xx/JydujS92.bin, hxxp://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin, hxxp://5.255.110.224/klErcNeTFQR182.emz, hxxp://albacomplett.hu/GB.bin, hxxp://avpqsnyw3.cf/wp-includes/VGFVmKxwJFpEz245.bin, hxxp://cdn.discordapp.com/attachments/1075619462914514978/1092956816876511272/ttt.bin, hxxp://drive.google.com/uc?export=download&id=16yXQ3Gl0c0wY5VEbP_L47kVKr-IWqM4s, hxxp://onedrive.live.com/download?cid=442E25470F854C65&resid=442E25470F854C65%213175&authkey=AD4rFyQYMAuU1CQ, hxxp://vacanzeposada.it/sktyrecki/PprkFHnS81.bin
- [URL] AgentTesla SMTP-based exfiltration endpoints – smtp.yandex.com, mail.blocexpert.eu, mail.rapidcheckng.com (credentials and receivers listed in article)
- [File Name] AgentTesla-related sample names – Invoice.exe, Device Images.exe, New Prices List.exe, ORDER_110280.exe, Payment Swift USD45,000.exe, paymentswift2020297830.pdf.exe, SO# A56DX04471.exe, TT Copy.exe
- [URL] Formbook C2 URLs – http://www.copebees.online/pz6u/, http://www.doyuip.xyz/my28/, http://www.fashiontwin.info/tic4/, http://www.fluttering.info/gp8u/, http://www.gadpuch.website/6qne/, http://www.hopspot.info/epdb/, http://www.lorsize.xyz/r013/, http://www.mentospk.online/sn72/, http://www.mfoles.xyz/ny17/, http://www.naruot.xyz/jr22/, http://www.peiphitan.com/poub/, http://www.seculw.xyz/de12/, http://www.shapshit.xyz/u2kb/, http://www.userflo.top/dgwm/
- [URL] GuLoader download attempts via Google Drive/Discord/OneDrive/Dropbox – various examples listed in the article
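A small triage helper, added here as an example and not part of the ASEC article, that checks log records against the indicators listed above: RedLine C2 ip:port pairs, Formbook C2 URLs, and AgentTesla-style lure attachments with a document extension before .exe. The tab-separated log format and the sample lines are constructed for the demonstration.

```python
import re

# RedLine C2 endpoints and Formbook C2 URLs copied from the IoC list above
REDLINE_C2 = {
    "176.113.115.145:4125", "77.91.124.145:4125", "5.206.224.176:46989",
    "83.217.11.28:30827", "82.115.223.9:28881", "31.220.76.124:11620",
    "152.89.196.149:2920", "172.177.191.179:9001",
}
FORMBOOK_C2 = {
    "www.copebees.online/pz6u/", "www.doyuip.xyz/my28/", "www.fashiontwin.info/tic4/",
    "www.fluttering.info/gp8u/", "www.gadpuch.website/6qne/", "www.hopspot.info/epdb/",
    "www.lorsize.xyz/r013/", "www.mentospk.online/sn72/", "www.mfoles.xyz/ny17/",
    "www.naruot.xyz/jr22/", "www.peiphitan.com/poub/", "www.seculw.xyz/de12/",
    "www.shapshit.xyz/u2kb/", "www.userflo.top/dgwm/",
}
# Lure pattern seen in the AgentTesla sample names: document extension, then .exe
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.exe$", re.IGNORECASE)

# Constructed sample records (hypothetical format: kind <tab> source <tab> value)
SAMPLE_LOGS = [
    "conn\t10.0.0.5\t176.113.115.145:4125",
    "conn\t10.0.0.5\t8.8.8.8:53",
    "http\t10.0.0.7\thttp://www.lorsize.xyz/r013/",
    "http\t10.0.0.7\thttp://example.com/index.html",
    "attach\tuser@corp.example\tpaymentswift2020297830.pdf.exe",
    "attach\tuser@corp.example\tquarterly_report.pdf",
]


def classify(line):
    """Return (family, indicator) when a record matches an IoC, else None."""
    kind, _src, value = line.rstrip("\n").split("\t")
    if kind == "conn" and value in REDLINE_C2:
        return ("RedLine", value)
    if kind == "http":
        # Compare on host+path so http:// and https:// forms both match
        if re.sub(r"^https?://", "", value) in FORMBOOK_C2:
            return ("Formbook", value)
    if kind == "attach" and DOUBLE_EXT.search(value):
        return ("AgentTesla-style lure", value)
    return None


def scan(lines):
    """Run classify() over every record and collect the hits in order."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for family, indicator in scan(SAMPLE_LOGS):
        print(f"{family}: {indicator}")
```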
Read more: https://asec.ahnlab.com/en/51274/